CCPA and CPRA Compliance Guide

The California Consumer Privacy Act (CCPA) and its successor amendment, the California Privacy Rights Act (CPRA), constitute the most expansive state-level consumer privacy regulatory framework in the United States. These statutes govern how businesses collect, use, share, and retain personal information about California residents, imposing enforceable obligations that extend well beyond California's borders due to the state's economic scale. For privacy professionals, compliance officers, and legal teams operating across U.S. markets, understanding the structural mechanics of both laws — and where they diverge — is foundational to building defensible data governance programs. This reference covers definitions, operational structure, classification logic, regulatory tensions, and enforcement context under both statutes.


Definition and Scope

The CCPA, enacted in 2018 and effective January 1, 2020, established baseline consumer privacy rights for California residents under California Civil Code §1798.100 et seq. The CPRA, passed by ballot initiative as Proposition 24 in November 2020 and fully operative from January 1, 2023, amended and expanded the CCPA by creating new rights categories, establishing an independent enforcement agency, and tightening data minimization requirements.

Both statutes apply to for-profit businesses meeting at least one of the following thresholds: annual gross revenues exceeding $25 million; buying, selling, or sharing personal information of 100,000 or more consumers or households per year (raised from 50,000 under the original CCPA); or deriving 50% or more of annual revenues from selling or sharing personal information (Cal. Civ. Code §1798.140(d)).

"Personal information" under both laws is defined broadly as information that identifies, relates to, describes, or is reasonably capable of being associated with a particular consumer or household. The CPRA added a distinct category called "sensitive personal information" (SPI), which carries heightened protections and includes Social Security numbers, precise geolocation, biometric data, health data, sexual orientation, and union membership.

The CCPA/CPRA regime applies to California residents, not California-based businesses. An organization headquartered in Texas, New York, or any other state remains subject to these statutes if it meets the thresholds above and processes the data of California residents. This geographic scope logic drives national-scale compliance obligations. Privacy professionals catalogued in the privacy provider network frequently specialize in multi-state compliance frameworks anchored to CCPA/CPRA.


Core Mechanics or Structure

The CCPA/CPRA framework operates through four interlocking mechanisms: consumer rights grants, business obligations, third-party data flow controls, and enforcement pathways.

Consumer Rights

Under the CPRA, California residents hold eight enumerated rights:
1. Right to know (categories and specific pieces of personal information collected)
2. Right to delete
3. Right to correct
4. Right to opt-out of sale or sharing
5. Right to limit use of sensitive personal information
6. Right to non-discrimination for exercising rights
7. Right to access (portability)
8. Right to opt-in for minors under 16

The right to "limit use" of SPI is new to the CPRA and has no equivalent in the original CCPA.

Business Obligations

Covered businesses must provide a "Notice at Collection" disclosing categories of personal information collected and the purposes of collection. They must maintain a Privacy Policy updated at minimum every 12 months. They are required to honor opt-out requests through a clear and conspicuous "Do Not Sell or Share My Personal Information" link. The CPRA additionally mandates a "Limit the Use of My Sensitive Personal Information" link or a combined opt-out/limit link.

Third-Party Data Flows

The CPRA replaces the CCPA concept of "service providers" with a tripartite classification: service providers, contractors, and third parties. Contracts with service providers and contractors must include specific limitation clauses. Data broker registration requirements under the California Data Broker Registry (California AG, Data Broker Registry) apply separately to businesses that sell data without a direct consumer relationship.

Enforcement

Enforcement shifted substantially with the CPRA. The California Privacy Protection Agency (CPPA), a standalone agency created by Proposition 24, assumed rulemaking authority from the California Attorney General as of July 1, 2023 (CPPA official site). Civil penalties reach $2,500 per unintentional violation and $7,500 per intentional violation or violation involving a minor's data (Cal. Civ. Code §1798.155). The CCPA also provides a private right of action for data breaches involving unauthorized access to unredacted, unencrypted personal information, with statutory damages between $100 and $750 per consumer per incident.


Causal Relationships or Drivers

The CCPA originated from a 2018 ballot initiative threat by privacy advocate Alastair Mactaggart. To forestall a more stringent ballot measure, the California Legislature passed AB 375 (2018) as a compromise. The CPRA emerged from a second Mactaggart-funded initiative (Proposition 24) following widespread industry lobbying that critics argued weakened CCPA's original provisions.

At the federal level, the absence of a comprehensive U.S. federal privacy law — the American Data Privacy and Protection Act (ADPPA) passed the House Energy and Commerce Committee in 2022 but stalled in the full Congress — positions CCPA/CPRA as the de facto national standard for privacy compliance architecture. Organizations building compliance programs for California operations typically extend that framework to other state laws passed in its wake, including the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA).

The privacy provider network purpose and scope provides context on how the broader U.S. privacy compliance services sector is organized relative to these state-law frameworks.


Classification Boundaries

Distinguishing which entities and data types fall within — or outside — the CCPA/CPRA scope is a recurring operational challenge.

Exempt Entities
- Nonprofit organizations (explicitly excluded from the "business" definition)
- Government agencies
- Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA) for GLBA-covered activities
- Healthcare providers covered under HIPAA for PHI

Exempt Data Categories
- Protected health information (PHI) regulated under HIPAA
- Financial data regulated under GLBA
- Employee data (covered under a separate CPRA employee privacy notice obligation, but exempt from most consumer-facing rights through January 1, 2023 under a sunset clause that expired — full employee rights coverage now applies)
- Publicly available information from government records

The B2B Exemption Expiration

The original CCPA included a temporary exemption for business-to-business (B2B) communications data and employee/job applicant data. Both exemptions expired on January 1, 2023. Under the CPRA, California employees, contractors, and job applicants now hold the same rights as consumers against covered businesses.


Tradeoffs and Tensions

Opt-Out vs. Opt-In Architecture

The CCPA/CPRA uses an opt-out model for adults (consumers must affirmatively act to stop sale or sharing), while requiring opt-in consent for consumers under 16. European regulators operating under the General Data Protection Regulation (GDPR) require opt-in consent as the default for most processing activities. Organizations operating transatlantically must maintain divergent consent architectures, increasing engineering and legal overhead.

Data Minimization vs. Analytics Utility

The CPRA's data minimization principle — personal information collection must be "reasonably necessary and proportionate" to disclosed purposes — conflicts with the data maximization logic that drives predictive analytics, machine learning model training, and behavioral advertising. No quantified threshold defines "proportionate," leaving compliance teams to make risk-calibrated judgment calls subject to CPPA review.

CPPA Rulemaking Pace

The CPPA's rulemaking schedule has introduced regulatory uncertainty. Final regulations covering cybersecurity audits, risk assessments, and automated decision-making technology were still in public comment or finalization phases as of the CPPA's 2023 enforcement cycle commencement. Businesses face the structural tension of building compliance programs against rules that remain in flux.

Private Right of Action Scope

The private right of action under CCPA §1798.150 is limited to data breaches — it does not extend to violations of consumer rights requests or notice requirements. This asymmetry means enforcement of operational obligations relies primarily on CPPA regulatory action, not private litigation, creating a bottleneck tied to agency capacity.


Common Misconceptions

Misconception 1: CCPA/CPRA applies only to California-based businesses.
Correction: The residency of the consumer determines applicability, not the location of the business. A business incorporated in Delaware with operations in Ohio is subject to CCPA/CPRA if it meets the revenue or data volume thresholds and processes California resident data.

Misconception 2: Selling data is required to trigger compliance.
Correction: The CPRA added "sharing" — defined as disclosing personal information for cross-context behavioral advertising purposes for no monetary consideration — as a separately regulated activity. A business that does not sell data may still trigger opt-out obligations through ad targeting pixels that share behavioral data with advertising platforms.

Misconception 3: A Privacy Policy is sufficient for compliance.
Correction: A Privacy Policy satisfies the annual disclosure requirement but does not fulfill notice-at-collection obligations, data subject request (DSR) response infrastructure, vendor contract requirements, or the separate SPI limitation mechanism.

Misconception 4: Small businesses under the revenue threshold are categorically exempt.
Correction: Threshold exemption applies per-criterion. A startup with revenues below $25 million that processes personal information of 100,000 or more California consumers or households per year meets the second threshold independently and is covered.

Misconception 5: Employee data remains exempt.
Correction: The employee data exemption sunset expired January 1, 2023. Covered businesses must now provide full CPRA-compliant privacy notices to California employees and honor applicable rights requests. For compliance professionals navigating this transition, the how to use this privacy resource page provides orientation on available service categories.


Checklist or Steps (Non-Advisory)

CCPA/CPRA Operational Compliance Elements

The following represents the structural elements that a compliant CCPA/CPRA program addresses. This is a reference enumeration of program components, not a legal prescription.

  1. Data mapping and inventory — Document all categories of personal information collected, sources, purposes, third-party disclosures, and retention periods.
  2. Threshold determination — Verify applicability against the three CPRA thresholds annually, including the revised 100,000 consumer/household figure.
  3. Notice at Collection — Implement at each point of collection; must appear before or at the time of collection.
  4. Privacy Policy — Update at minimum every 12 months; must include all CPRA-required disclosures including SPI categories and retention periods.
  5. Opt-out mechanisms — Deploy "Do Not Sell or Share My Personal Information" link; implement Global Privacy Control (GPC) signal recognition, which CPPA regulations treat as a valid opt-out signal.
  6. SPI limitation mechanism — Deploy separate "Limit the Use of My Sensitive Personal Information" link or combine with the opt-out link using CPPA-approved formatting.
  7. DSR intake and response infrastructure — Establish two or more designated methods for submitting consumer rights requests; maintain 45-day response timeline with one permitted 45-day extension.
  8. Vendor contract review — Audit and update service provider, contractor, and third-party agreements to include CPRA-required limitation clauses.
  9. Employee/HR notice — Issue California employee, contractor, and job applicant privacy notices covering CPRA rights.
  10. Data broker registration — Determine whether the business qualifies as a "data broker" under California law and register with the California AG's Data Broker Registry if applicable.
  11. Security program alignment — Implement reasonable security measures; CCPA §1798.150 private right of action exposure is triggered by unauthorized access to unredacted personal information.
  12. Incident response integration — Align breach notification with CCPA private right of action exposure and California AG breach notification requirements under California Civil Code §1798.82.
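Steps 5 and 6 above, together with the opt-out/opt-in split described under Tradeoffs and Tensions, as an added example that is not code from this guide or from any vendor: a Python decision function that recognizes the Global Privacy Control request header (Sec-GPC with the value "1", as the GPC specification defines it) and applies the adult opt-out model, the under-16 opt-in model, and the separate SPI "limit use" flag. The ConsumerState record is a constructed shape, and treating a GPC signal as overriding a minor's opt-in is this example's conservative assumption.

```python
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass
class ConsumerState:
    """Constructed per-consumer record (assumed shape, not from the guide)."""
    age: Optional[int]        # None when unknown; the example then applies the adult model
    opted_out: bool           # clicked "Do Not Sell or Share My Personal Information"
    minor_opt_in: bool        # affirmative opt-in obtained for a consumer under 16
    limited_spi: bool         # clicked "Limit the Use of My Sensitive Personal Information"


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True when the request carries the Global Privacy Control header Sec-GPC: 1.

    Header names are case-insensitive; the GPC spec defines the opt-out value as
    exactly "1", so any other value is not treated as a signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def may_sell_or_share(state: ConsumerState, headers: Mapping[str, str]) -> bool:
    """Decide whether this request may sell or share the consumer's personal information.

    Adults: opt-out model. Sale/sharing is allowed unless the consumer opted out or
    the browser sends a GPC signal (a valid opt-out signal under CPPA regulations).
    Under 16: opt-in model. Nothing flows without affirmative consent, and an opt-out
    or GPC signal still wins (conservative assumption of this example).
    """
    gpc = gpc_signal_present(headers)
    if state.age is not None and state.age < 16:
        return state.minor_opt_in and not state.opted_out and not gpc
    return not (state.opted_out or gpc)


def may_use_spi_beyond_necessary(state: ConsumerState) -> bool:
    """SPI may be used beyond what is necessary only while the consumer has not
    exercised the CPRA right to limit use of sensitive personal information."""
    return not state.limited_spi


if __name__ == "__main__":
    # Constructed request: an adult whose browser sends the GPC signal.
    adult = ConsumerState(age=34, opted_out=False, minor_opt_in=False, limited_spi=False)
    print(may_sell_or_share(adult, {"Sec-GPC": "1"}))   # False: GPC is honored as an opt-out
```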

Reference Table or Matrix

CCPA vs. CPRA: Key Structural Differences

Dimension | CCPA (Original, Effective 2020) | CPRA (Amended, Fully Operative 2023)
Enforcement Agency | California Attorney General | California Privacy Protection Agency (CPPA) + CA AG
Business Threshold — Data Volume | 50,000 consumers or households | 100,000 consumers or households
Sensitive Personal Information | Not separately defined | Defined; separate "Limit Use" right created
Right to Correct | Not included | Included
Employee Data | Exempt (sunset provision) | Fully covered after Jan. 1, 2023
Data Minimization | Not explicit | Explicit; proportionality standard required
Sharing (Behavioral Ads) | "Selling" covered; sharing ambiguous | "Sharing" explicitly defined and regulated
Contractor Category | Not defined | Distinct from service providers; contract required
Cybersecurity Audit Requirement | Not specified | Required for high-risk businesses (rules pending)
Risk Assessment Requirement | Not specified | Required for high-risk processing activities
GPC Signal | Not addressed in statute | Recognized as valid opt-out signal under CPPA regulations
Cure Period | 30 days (before enforcement) | Eliminated as of Jan. 1, 2023
Private Right of Action | Data breach only; $100–$750/consumer | Retained; same scope
Civil Penalty — Intentional | $7,500 per violation | $7,500 per violation; $7,500 per violation involving minor
